First Indian Survey of DPDPA Tools

Way back in 2015, Naavi initiated India’s first survey of Cyber Insurance. It was a survey to ascertain the status of the industry at that point of time. We presume it was useful to the industry, and today the industry has grown by leaps and bounds.

Now is the time for DPDPA Compliance and the entire industry is looking for appropriate tools for implementing Compliance. FDPPI has been doing its bit to assist the industry with its DGPSI Compliance framework. But the industry is eagerly looking forward to technical tools for data discovery, classification, consent management and other requirements of compliance.

There are many international software products which also claim to have already been customised for DPDPA. Most of them have substituted key words such as Data Fiduciary for Data Controller, but the skeleton of the engine is still the GDPR. Many Indian companies are trying to adopt DPDPA concepts into the GDPR framework since changing over to another software is very cumbersome and expensive. Putting the DPDPA into the body created for GDPR is like an orthodox Indian soul getting into a foreigner’s body on reincarnation.

There are many Indian companies who are trying to build indigenous products and some of them (not all) have also been part of the MeitY exercise for developing an open source Consent Management Platform.

In this scenario, it is time for the launch of the First Indian National Survey of DPDPA Compliance tools.

FDPPI is therefore launching an open survey in this regard and is preparing to publish the questionnaire as part of its “International Privacy Day” celebration.

At the same time, Naavi is also launching his next book in E Form, named “Wisdom Companion for Champions of DPDPA”.

This book will be the fourth in the series of books released by Naavi starting with “Guardians of Privacy, a comprehensive handbook on DPDPA 2023 and DGPSI”, “DGPSI, the perfect prescription for DPDPA Compliance” and “Taming the twin challenges of DPDPA And AI”.

These books trace the progressive development of information and its conversion into knowledge and implementation skills. The new book will cover the DPDPA Rules along with the recent additions to the DGPSI family, namely DGPSI-GDPR, DGPSI-HR and DGPSI-Data Processor.

The Print version may take a little while but the Kindle version will be ready by this week.

There is a rumour that the Government may pre-pone the implementation of DPDPA from 13th May 2027 to 13th May 2026. Whether it materializes or not, FDPPI is racing ahead with its activities to prepare the country for the DPDPA Compliance Era.

Naavi

Leading Privacy Management Software and DPDPA

FDPPI has set up a SIG to evaluate Privacy Management tools available for DPDPA Compliance. The SIG is currently collecting information from users and evaluating them. Several Indian solution providers are providing brief demos to the FDPPI members during the Jnaana Vardhini Sessions in 2026.

This exercise will continue and will enable Indian solution providers to reach out to the professionals who are associated with FDPPI.

In this context, it is noted that Forrester Wave has published its Q4-2025 report, which has placed OneTrust, Securiti and BigID as the leading software solutions for Privacy Management. Transcend, Relyance AI, Truyo and TrustArc have been placed in the “Strong performers” category. Additionally, a couple more products, Ketch and Osano, are also in the list of contenders for the leadership.

FDPPI’s SIG for Tool evaluation will be making a special evaluation of these nine tools from the DPDPA perspective.

We are aware that “Only the wearer knows where the shoe pinches”. Hence, to evaluate these solutions further, the SIG invites information from users in a survey to be set up for the purpose.

Participation is open to Indian companies who are using, or exploring the use of, any of these six tools. The survey form would be distributed to the companies individually and a representative of FDPPI may contact them for collecting their views. The report, when generated, would be shared with these participating companies free of charge. The results may also be separately collated into a document with anonymised attribution and released to others.

Organizations interested in participating in the survey and obtaining a copy of the final report are requested to contact Naavi.

FDPPI may also share a complementary recommendation on how the usage of the tool can be customized for DGPSI compliance.

Naavi

Decoding AI terms …A Periodical Table Approach

Most of us are familiar with the “Periodic Table” used in Chemistry to group elements into different groups, to better understand their properties and also to predict some missing members of a pattern.

Now Mr Martin Keen of IBM Technology has brought out an interesting presentation of a “Periodic Table for AI Terms” in this video.

The video tries to briefly explain and categorize the terms used in the AI domain into a table of 4 rows and five columns.

The four rows are Primitive, Compositions, Deployment and Emerging terms.

The five columns are five groups of terms, namely Reactive, Retrieval, Orchestrations, Validation and Models.

It is an excellent attempt to assist in decoding the technical terms used by the industry.

A clean table for better readability is here:

Naavi

Can CBDC-Retail be popularized?

When CBDC was introduced in India (Refer: “Article CBDC Will change the World Economic Order”) in 2022, we had indicated that the CBDC-W was useful in substituting the SWIFT mechanism and could be extended to Exporters and Importers. We had however held that CBDC-R for retail use may not be that useful since in India we already have the UPI system.

Much before the concept of CBDC emerged, we had commented in our article in 2016, “Here is how the Currency shortage can Vanish in a jiffy with Digi-Real Currency”. We had also explored in 2022 the impact of Data Protection Bill 2022 on CBDC in our article “CBDC or E Rupee and the Data Protection Bill 2022”.

The concepts discussed in these articles remain relevant today and gain further strength, not only because DPDPA has been enacted but also because India has now actively begun cooperating with the BRICS countries to introduce a currency exchange mechanism through the CBDCs of each country.

Watch the video from PGurus in this regard.

The video discusses the possible exchange system where settlements between the BRICS countries may move through a central exchange currency, which could be the CBDC-Rupee. In this system, any payment to be made between Country A and Country B will first be converted from the importer country to E-Rupee and then from E-Rupee to the CBDC of the exporter country.

The clearing mechanism can be owned by any one of the participating countries or a consortium of countries like the “Board of CBDCs”, which can be created to replace SWIFT.

At the same time, a thought arises whether CBDC-R may also be made relevant by creating an exchange mechanism within India between the E-Rupee in retail and the UPI system.

Currently in the UPI system, the requests between the payer and the receiver are routed through the NPCI to the respective banks, who initiate the bank to bank transfer of money. These transactions directly debit or credit the rupee balances in the account.

In case the customer keeps the funds in E-Rupee form and creates a link to his normal account with a Zero Balance, then there can be an E-Rupee Exchange mechanism whereby the UPI request can be directly routed to the E-Rupee Clearing house along with the destination Bank identity, where the credit can be given either to the E-Rupee account of the receiver or to his regular account.

In such a system, all existing Checking accounts would be like “BSPs” or “Banking Service Providers” where digital instructions pass through automatically. Any need to convert the E-Rupee into physical cash can be routed through the regular account, whereas Bank to Bank transfers can be conducted through the E-Rupee exchange system.

We need to explore if such a system may be helpful in reducing Banking costs and reducing frauds.

Request views of experts on whether this makes sense.

Naavi

Data Processors inherit responsibilities from the Data Fiduciary

It is legally correct to say that DPDPA does not impose any liability directly under the Act on Data Processors. The law only mandates that the Data Fiduciaries shall be responsible even for the processing done by the Data Processor.

It is however not ethical for Data Processors to think that they have no responsibility towards the data fiduciary being in compliance with the law. If necessary, they have to take the lead and alert the data fiduciary if there is any risk of non-compliance. This also makes prudent commercial sense, since if there is a penalty on the data fiduciary and his business is shaken, the downstream data processor may also lose an opportunity to grow with the data fiduciary.

Currently the Data Fiduciary enters into a contract to protect his responsibilities under DPDPA and directs the Data Processor on how to process the data in compliance with the DPDPA. The Data Processor Contract therefore is not limited to the commercial benefits or functional requirements but should have a clear description of the Data Processing responsibilities. A DPDPA compliant Data Processing Contract will therefore have necessary data protection related clauses.

Though DPDPA might not have specified liabilities to the data processor directly, it should be recognized that Section 72A of ITA 2000 creates a liability for the data processor if a Data Processing Contract involving “Personal Data” is violated.

Recognizing the need therefore for Data Processors to be responsible for DPDPA Compliance, FDPPI promotes that a Data Processor should take measures to be compliant with DPDPA as if he is a “Deemed Data Fiduciary”.

In this context DGPSI (Data Governance and Protection Standard of India) has introduced a variant framework DGPSI-Data Processors exclusively to address the need for Data Processors to be voluntarily compliant with DPDPA.

The DGPSI-DP, as it is being referred to, adopts the unique principle that “A Data Processor inherits the responsibilities of the data fiduciary through the contract”. Under this principle, the Data Processor should look through the contract as if it is a transparent glass and view the DPDPA on the other side.

Since many data processors are bigger than the data fiduciaries themselves, the voluntary adoption of DGPSI-DP by them will provide confidence to the Data Fiduciaries to use their services. This is ideal for businesses that run a “Platform” for a specialized data processing service and invite data fiduciaries to use them.

According to the inheritance principle, a Data Processor of a Significant Data Fiduciary is a “Significant Data Processor” and needs to show the same level of responsibility that the Significant Data Fiduciary is expected to show.

As a part of this, the Data Processor, depending on the volume and sensitivity of data processed by him cumulatively as an organization, needs to conduct a DPIA, designate an internal DPO and also conduct external Data Audits from time to time.

The DGPSI-DP is therefore built to reflect the contractual obligations without losing sight of DPDPA liabilities.

We therefore urge all Data Processors to start understanding the essence of DPDPA and take steps to be in compliance. They should also realize that every Data Processor will himself be a Data Fiduciary to the extent of the data of employees. Hence there is no clean escape from DPDPA for any Data Processor. They can however explore the DGPSI-HR as a framework for their manpower related obligations while looking at DGPSI-DP for compliance related to their data processing contracts.

Hence, emancipated Data Processors should look for a combination of DGPSI-DP and DGPSI-HR, and this will be a hallmark of ethical responsibility that an organization may exhibit in terms of certifications.

In the coming days we should not be surprised if ISO certification marks are replaced with DGPSI certification marks on the websites of responsible companies as a symbol of assurance.

Naavi

The day After DGPSI-HR discussion

Yesterday the cream of professionals in the Data Protection domain congregated to discuss a framework of compliance titled “DGPSI-HR”.

Since it was the first exposure of this framework, it was a time for most to absorb the information and contemplate the implications of what was discussed.

I have started receiving some queries in this regard and would be happy to discuss the same and continue the debate.

Question 1:

While there is already a framework DGPSI-Full and DGPSI-Lite which can be extended to DGPSI-AI, one of the first thoughts is what additional business needs this new framework will address?

It is a pertinent question. DPDPA is a law and is conceptually a framework of its own. This has been captured in the DGPSI-Lite version which is a simple conversion of compliance clauses in DPDPA into a framework.

DGPSI-Full is a broader framework that adds certain governance issues and also enables DTS calculation. It is more comprehensive than DGPSI-Lite and includes some higher level concepts such as Data Valuation and Distributed Responsibility.

However, the data-driven industry has some sectors for which a sharper framework that addresses specific needs is required.

There were a few such sectors which were under consideration for us to think of DGPSI-HR.

One was a large section of ancillary manufacturing industries, typically the units in an industrial estate where there is one engineering entrepreneur who engages 10 workers and a few lathes or similar equipment and manufactures goods for specific customers.

DPDPA is applicable to such units and there is no specific dilution of the Act. I agree that the Government is empowered to provide some exemptions under Section 17 for such units and in fact may do so in the next 5 years. However, till such time as the law provides concessions, we need to assist such organizations to be compliant with the law without too much pain. Such organizations mainly handle “Business Contact Data” and do not process personal data of the public. They do process the personal data of the employees, some of whom may be covered by employment contract and some under contract.

Such companies need to have a simpler version of DGPSI. DGPSI-HR may be more than sufficient for them to be compliant with the DPDPA.

Secondly, there are many HR service organizations who are into background verification, payroll management, manpower hunting and placement etc. Such activities are project based activities which have joint data fiduciary responsibilities for the project. They “employ and deploy” human resources under a B2B contract with customers where these employees will process personal data of the customers. They may also “Contract and deploy” in some cases.

Thirdly, in the health care sector there could be hospitals which engage medical practitioners on contract basis to render services as part of the hospital service, but with the expert being in full control of the activity and often using the data for presentation for research and other purposes as a joint data fiduciary.

Fourthly, there are many large IT organizations who work on the “Employ and Deploy” model where they send their employees to work in the client’s place. Such organisations can consider segregating this activity into a subsidiary activity and function like a Hybrid entity. In such a case DGPSI-HR may become useful as a focussed implementation framework for such a subsidiary.

It was necessary to innovate the new framework to address such instances.

We invite more use-cases to be referred so that we can continue to debate how the framework will be useful for both the industry and the data auditors.

Naavi